Wednesday, June 15, 2011

Debricking WRT54G v8

Objective: Regain WRT54G v8 router functionality.

Problem: Bricked after a bad dd-wrt flash.

Additionals: JTAG cable (parallel port), 12-pin header, Tornado's TJTAG 3.0, a TFTP client.

Walkthrough:
[Methods]
Hard reset (30/30/30) :
  1. Press and hold the reset button for 30 seconds.
  2. Keep holding the reset button and unplug power cable from router and hold for another 30 seconds.
  3. Keep holding the reset button and plug the power cable back and hold for the last 30 seconds.
This restores the default settings and clears NVRAM.
With the defaults back, the LAN IP is 192.168.1.1 again, which is what allows the TFTP flash.

Installing Tornado's TJTAG :
  1. [tjtag-3.0.1.zip] ftp://dd-wrt.com/others/tornado/jtag/
    [tjtagx64-install.zip] http://www.dd-wrt.com/phpBB2/viewtopic.php?p=390360
  2. On 32-bit Windows download the first file and extract it.
    Copy giveio.sys to \Windows\System32\drivers\
    Run loaddrv.exe, point it at giveio.sys and click Start. giveio.sys grants user-mode programs direct I/O port access, which TJTAG needs to bit-bang the JTAG cable on the parallel port.
  3. On 64-bit Windows download the second file from the dd-wrt forum (giveio.sys is 32-bit only; the InpOut32 driver provides the same port access on x64).
    Extract it, go to \InpOutBinaries_1200\Win32\ and run InstallDriver.exe
Flash via TFTP :
  1. tftp 192.168.1.1
  2. >binary
  3. >rexmt 1
  4. >timeout 60
  5. >put dd-wrt.v24_micro_generic.bin
On success the client prints something like: Sent 1769472 bytes in 3.4 seconds. (rexmt 1 makes tftp retransmit every second, so you can start the put first and then power the router on to catch the CFE's short TFTP window.)
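A bad flash is what bricked the unit in the first place, so it pays to sanity-check the image before pushing it at the CFE. The script below is an added example, not part of the original post or of dd-wrt: it verifies that a file is a bare TRX image (the HDR0-magic container the dd-wrt generic .bin files use), that the header's length and CRC-32 agree with the bytes, and that the image fits the flash. The 2 MiB flash size assumed for the WRT54G v8 and the payload used in the self-check are assumptions, labelled as such in the code.

```python
"""Pre-flight check of a dd-wrt / OpenWrt TRX firmware image before it is TFTP'd to the CFE."""
import struct
import zlib

TRX_MAGIC = b"HDR0"
# magic, length, crc32, flags, version, three partition offsets: the 28-byte v1 header
TRX_HEADER = "<4sIIHHIII"
TRX_HEADER_LEN = struct.calcsize(TRX_HEADER)
# Assumption: 2 MiB of flash, the reason the WRT54G v8 needs the micro build at all
WRT54G_V8_FLASH = 2 * 1024 * 1024


def trx_crc32(data: bytes) -> int:
    """TRX CRC-32: the usual reflected CRC with a 0xFFFFFFFF seed but no final
    inversion, i.e. zlib's value XORed back."""
    return zlib.crc32(data) ^ 0xFFFFFFFF


def build_trx(payload: bytes, offsets=(TRX_HEADER_LEN, 0, 0), version=1) -> bytes:
    """Wrap payload in a v1 TRX header (used here to construct images for the self-check)."""
    length = TRX_HEADER_LEN + len(payload)
    covered = struct.pack("<HHIII", 0, version, *offsets) + payload   # everything from offset 12 on
    return struct.pack("<4sII", TRX_MAGIC, length, trx_crc32(covered)) + covered


def check_trx(image: bytes, flash_size: int = WRT54G_V8_FLASH) -> dict:
    """Return the header fields if image is a consistent TRX that fits the flash,
    otherwise raise ValueError describing what is wrong."""
    if len(image) < TRX_HEADER_LEN:
        raise ValueError("file is shorter than a TRX header")
    magic, length, crc, _flags, version, *offsets = struct.unpack_from(TRX_HEADER, image)
    if magic != TRX_MAGIC:
        raise ValueError(f"bad magic {magic!r}: not a bare TRX image")
    if length < TRX_HEADER_LEN or length > len(image):
        raise ValueError(f"header says {length} bytes but the file has {len(image)}")
    computed = trx_crc32(image[12:length])      # the CRC covers flags .. end of image
    if computed != crc:
        raise ValueError(f"CRC mismatch: header {crc:#010x}, computed {computed:#010x}")
    if length > flash_size:
        raise ValueError(f"{length} bytes will not fit in {flash_size} bytes of flash")
    for off in offsets:
        if off and not TRX_HEADER_LEN <= off < length:
            raise ValueError(f"partition offset {off:#x} points outside the image")
    return {"length": length, "crc32": crc, "version": version,
            "offsets": tuple(offsets), "trailing_bytes": len(image) - length}


def trx_problem(image: bytes, flash_size: int = WRT54G_V8_FLASH):
    """Like check_trx but return the problem as a string, or None when the image is fine."""
    try:
        check_trx(image, flash_size)
    except ValueError as e:
        return str(e)
    return None


def check_file(path: str, flash_size: int = WRT54G_V8_FLASH) -> dict:
    with open(path, "rb") as f:
        return check_trx(f.read(), flash_size)


if __name__ == "__main__":
    import sys
    print(check_file(sys.argv[1]))
```

Run it as `python trxcheck.py dd-wrt.v24_micro_generic.bin`. A vendor-wrapped image (a Linksys header in front of the TRX) fails the magic check, so you also learn which kind of .bin you are holding before it goes over the wire.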

[Behavior]
First of all, check how the bricked router behaves. Connect to it with an ethernet cable and configure your NIC manually with the last known working settings.
  • If you don't remember the settings, go to @Step 1.
  • If the link comes up, ping the router. If you get replies, go to @Step 13. If you get no reply, do a 30/30/30 hard reset and try again; if that still fails, go to @Step 1.
[Steps]
  1. Solder the 12-pin header onto the router's JTAG pads.
  2. Connect the JTAG cable to the 12-pin header and to the computer's parallel (LPT) port.
  3. [Install TJTAG]
  4. Open CMD and cd to the folder containing tjtag.exe.
  5. Run tjtag -probeonly; it should print the router's CPU and flash chip. If the flash chip isn't detected, run the command right after plugging in the router's power.
  6. Run tjtag -erase:wholeflash twice, again right after power-on if needed.
  7. Get the correct CFE.bin for your router from ftp://ftp.barryware.net/cfe%20collection%20project/ user:dd-wrt password:router
  8. Rename it to CFE.bin if necessary and move it to the folder containing tjtag.exe.
  9. Run tjtag -flash:cfe /noemw /nocwd /noreset
  10. When it finishes, power cycle and do a 30/30/30 hard reset. The LEDs should be off.
  11. Connect to the router via ethernet.
  12. ping 192.168.1.1. If you get replies, the CFE is back and the router can be TFTP flashed.
  13. Look up your router model at http://www.dd-wrt.com/site/support/router-database
  14. Download a TFTP client and dd-wrt.v24_micro_generic.bin.
  15. [Flash via TFTP]
  16. Power cycle and do a 30/30/30 hard reset.
  17. Browse to http://192.168.1.1 and the dd-wrt management page should appear. Set a new user and password before plugging the WAN side back in.
  18. Done.

Tuesday, June 14, 2011

Proxify terminal commands and/or applications

Objective: Use commands such as wget, apt-get, etc. through an SSH SOCKS proxy.

Problem: Most of them cannot be pointed at a SOCKS proxy natively, and the ones that can each need configuring separately.

Walkthrough:
1 - Install tsocks ($sudo apt-get install tsocks)

2 - Open the SOCKS proxy: ($sshpass -p password ssh account@IP -p port -D dynamic_port)
sshpass feeds the password to ssh's interactive prompt. A password given with -p is visible in the process list and in your shell history; prefer key authentication, or at least sshpass -e with the password in the SSHPASS environment variable. Add -N if you only want the tunnel and no remote shell.

3 - Configure tsocks conf file.
### Begin file /etc/tsocks.conf
server = 127.0.0.1
# Server type defaults to 4 so we need to specify it as 5 for this one
server_type = 5
# The port defaults to 1080 but I've stated it here for clarity
server_port = dynamic_port
###End of file /etc/tsocks.conf

4 - Prefix any command with tsocks.
E.g. $tsocks pidgin
Caveat: tsocks is an LD_PRELOAD wrapper around connect(), so hostnames are still resolved by the local resolver and those DNS lookups bypass the tunnel; statically linked and setuid programs are not wrapped at all.
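To see what tsocks does on a program's behalf, the following is an added example (not part of the original post or of tsocks) of the SOCKS5 CONNECT handshake a client performs against the proxy that ssh -D opens on 127.0.0.1:dynamic_port. It sends the destination as a domain name, so the ssh server resolves it; that is the step tsocks skips. A small in-process stub stands in for ssh -D so the example runs offline; the stub, the destination intranet.example and the request bytes are constructed for this example.

```python
"""The SOCKS5 CONNECT handshake that tsocks performs for a program, against `ssh -D`."""
import socket
import struct
import threading

SOCKS_VERSION, NO_AUTH, NO_ACCEPTABLE = 5, 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REPLY_TEXT = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable", 5: "connection refused",
              6: "TTL expired", 7: "command not supported", 8: "address type not supported"}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:                 # recv() may return short reads
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-handshake")
        buf += chunk
    return buf


def _read_address(sock, atyp):
    """Read a SOCKS5 address of type atyp plus its big-endian port."""
    if atyp == ATYP_IPV4:
        host = socket.inet_ntoa(_recv_exact(sock, 4))
    elif atyp == ATYP_DOMAIN:
        (n,) = _recv_exact(sock, 1)
        host = _recv_exact(sock, n).decode("idna")
    else:
        raise ConnectionError(f"unsupported address type {atyp:#x}")
    (port,) = struct.unpack("!H", _recv_exact(sock, 2))
    return host, port


def socks5_connect(proxy, dest_host, dest_port, timeout=5.0):
    """Return a TCP socket to dest_host:dest_port tunnelled through the SOCKS5 proxy at `proxy`.
    The destination goes out as a domain name (ATYP 3) so the proxy end resolves it;
    tsocks resolves locally before connect() runs, so its DNS lookups never enter the tunnel."""
    s = socket.create_connection(proxy, timeout=timeout)
    try:
        s.sendall(bytes([SOCKS_VERSION, 1, NO_AUTH]))           # greeting: one auth method offered
        ver, method = _recv_exact(s, 2)
        if ver != SOCKS_VERSION or method != NO_AUTH:
            raise ConnectionError(f"proxy refused no-auth (version {ver}, method {method:#x})")
        host = dest_host.encode("idna")
        s.sendall(bytes([SOCKS_VERSION, CMD_CONNECT, 0, ATYP_DOMAIN, len(host)])
                  + host + struct.pack("!H", dest_port))
        ver, rep, _rsv, atyp = _recv_exact(s, 4)
        _read_address(s, atyp)                                  # bound address; not needed here
        if rep != 0:
            raise ConnectionError(f"CONNECT failed: {REPLY_TEXT.get(rep, rep)}")
    except Exception:
        s.close()
        raise
    return s


class StubSocks5Proxy:
    """Constructed stand-in for `ssh -D` so the example runs offline: serves one CONNECT,
    records the requested destination, answers 'succeeded' and then echoes bytes back."""

    def __init__(self):
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))
        self.listener.listen(1)
        self.address = self.listener.getsockname()
        self.requested = None
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        conn, _ = self.listener.accept()
        with self.listener, conn:
            _ver, nmethods = _recv_exact(conn, 2)
            if NO_AUTH not in _recv_exact(conn, nmethods):
                conn.sendall(bytes([SOCKS_VERSION, NO_ACCEPTABLE]))
                return
            conn.sendall(bytes([SOCKS_VERSION, NO_AUTH]))
            _ver, cmd, _rsv, atyp = _recv_exact(conn, 4)
            self.requested = _read_address(conn, atyp) + (atyp,)
            rep = 0 if cmd == CMD_CONNECT else 7
            # the reply carries a 0.0.0.0:0 bound address, as OpenSSH's -D does
            conn.sendall(bytes([SOCKS_VERSION, rep, 0, ATYP_IPV4]) + bytes(6))
            while rep == 0:
                data = conn.recv(1024)
                if not data:
                    break
                conn.sendall(data)


def demo():
    """Tunnel one constructed request through the stub; returns (what the proxy saw, what came back)."""
    proxy = StubSocks5Proxy()
    s = socks5_connect(proxy.address, "intranet.example", 8080)
    request = b"GET / HTTP/1.0\r\n\r\n"
    s.sendall(request)
    echoed = _recv_exact(s, len(request))
    s.close()
    proxy.thread.join(5)
    return proxy.requested, echoed


if __name__ == "__main__":
    print(demo())
```

Pointing socks5_connect at ("127.0.0.1", dynamic_port) from step 2 instead of the stub gives you a socket that any plain-socket code can use; the proxy records the name, not an address, which is the behaviour the tsocks wrapper cannot give you.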

Booting BackTrack 5 GNOME Live from HDD

Objective: Boot a BT5 GNOME live session directly from the HDD with GRUB2

Problem: The iso-scan/filename handling (the lupin-casper scripts for casper) is missing from the initrd in the BT5 GNOME ISO image.

Additionals: ORDER.sh

Walkthrough:
1 - Extract /casper/initrd.gz from the BT5 ISO into a working folder, then create a child folder inside it and cd into it.

2 - initrd.gz is a gzip-compressed cpio archive. Unpack it with @1, which assumes initrd.gz sits in the parent folder and you are in the child folder. Use @2 instead if the image is an LZMA-compressed initrd.lz.
@1 $zcat ../initrd.gz | cpio -i -d
@2 $lzma -dc -S .lz ../initrd.lz | cpio -imvd --no-absolute-filenames

3 - Extract the /lupin/casper/scripts/ folder from the lupin-casper sources and merge it into the child folder's scripts/ directory.
(https://launchpad.net/ubuntu/+archive/primary/+files/lupin_0.32.tar.gz)

4 - Run [ORDER.sh] with ./ORDER.sh from inside the child folder's scripts/ directory.
### Begin file [ORDER.sh]
#!/bin/sh
# Rebuild ORDER in every scripts/<stage>/ directory so the merged lupin-casper
# scripts are run. Execute from inside the scripts/ folder. Scripts are ordered
# by file name (mkinitramfs orders them by their PREREQ headers instead).
for childDir in $(find . -mindepth 1 -type d); do
    echo "$childDir"
    rm -f "$childDir/ORDER"
    for script in $(find "$childDir" -maxdepth 1 -type f ! -name ORDER | sort -u); do
        echo "/scripts/$(basename "$childDir")/$(basename "$script")" >> "$childDir/ORDER"
        echo "[ -e /conf/param.conf ] && . /conf/param.conf" >> "$childDir/ORDER"
    done
done
### End of file [ORDER.sh]
4.1 - The script rewrites the ORDER file in each scripts/<stage>/ folder so that the merged lupin-casper scripts get run. It orders them by file name, whereas mkinitramfs orders them by the PREREQ header each script declares.
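As an added example (not part of the original post or of initramfs-tools), the following rebuilds the ORDER files the way mkinitramfs does, from the scripts' PREREQ headers, instead of by file name, and refuses to write an ORDER that references a missing script or contains a dependency cycle. It reads the PREREQ="..." assignment rather than running each script with the prereqs argument, a simplification assumed to be good enough for the casper scripts. The demo() stage and its three script names are constructed and are not the real lupin-casper file names.

```python
"""Regenerate initramfs-tools ORDER files, honouring the scripts' PREREQ headers."""
import os
import re

PREREQ_RE = re.compile(r'^\s*PREREQ="([^"]*)"', re.MULTILINE)
PARAM_LINE = "[ -e /conf/param.conf ] && . /conf/param.conf"


def read_prereqs(path):
    """Names from the script's PREREQ="..." line. mkinitramfs obtains them by running
    `script prereqs`; reading the assignment is a simplification (assumed sufficient)."""
    with open(path, encoding="utf-8", errors="replace") as f:
        match = PREREQ_RE.search(f.read())
    return match.group(1).split() if match else []


def order_stage(stage_dir):
    """Script names in stage_dir with every PREREQ before its dependant; ties by name."""
    scripts = sorted(n for n in os.listdir(stage_dir)
                     if n != "ORDER" and os.path.isfile(os.path.join(stage_dir, n)))
    deps = {n: set(read_prereqs(os.path.join(stage_dir, n))) for n in scripts}
    for name, wanted in deps.items():
        missing = wanted - set(scripts)
        if missing:
            raise ValueError(f"{name}: PREREQ {sorted(missing)} not found in {stage_dir}")
    ordered, done = [], set()
    while len(ordered) < len(scripts):
        ready = [n for n in scripts if n not in done and deps[n] <= done]
        if not ready:
            raise ValueError(f"PREREQ cycle among {sorted(set(scripts) - done)}")
        ordered.extend(ready)
        done.update(ready)
    return ordered


def write_orders(scripts_root):
    """Rewrite scripts/<stage>/ORDER under scripts_root; returns {stage: [scripts in run order]}."""
    result = {}
    for stage in sorted(os.listdir(scripts_root)):
        stage_dir = os.path.join(scripts_root, stage)
        if not os.path.isdir(stage_dir):
            continue                      # files such as scripts/functions are not stages
        names = order_stage(stage_dir)
        with open(os.path.join(stage_dir, "ORDER"), "w") as f:
            for n in names:
                f.write(f"/scripts/{stage}/{n}\n{PARAM_LINE}\n")
        result[stage] = names
    return result


def demo():
    """Constructed stage with three fake scripts (not the real lupin-casper file names)."""
    import tempfile
    root = tempfile.mkdtemp()
    stage = os.path.join(root, "casper-premount")
    os.mkdir(stage)
    fake = {"10driver_updates": "", "20iso_scan": "10driver_updates",
            "05late": "20iso_scan"}       # sorts first by name but must run last
    for name, prereq in fake.items():
        with open(os.path.join(stage, name), "w") as f:
            f.write(f'#!/bin/sh\nPREREQ="{prereq}"\nprereqs() {{ echo "$PREREQ"; }}\n')
    result = write_orders(root)
    with open(os.path.join(stage, "ORDER")) as f:
        return result, f.read()


if __name__ == "__main__":
    import sys
    print(write_orders(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it from inside the child folder's scripts/ directory (or pass that directory as the argument); a script whose PREREQ names something the merge did not bring in stops the run with the missing name rather than producing an ORDER that silently runs scripts too early.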

5 - From inside the child folder run @3 to create the new initrdiso.gz in the parent folder.
@3 $find . | cpio -o -H newc | gzip -9 > ../initrdiso.gz

6 - Editing /boot/grub/grub.cfg [not recommended :3 update-grub overwrites it; put the entry in /etc/grub.d/40_custom instead]
### Begin grub.cfg
menuentry "BackTrack 5 - GNOME" {
loopback loop (hd0,2)/home/galtzer/BT5-GNOME-64.iso
linux (loop)/casper/vmlinuz boot=casper iso-scan/filename=/home/galtzer/BT5-GNOME-64.iso text
initrd (hd0,2)/home/galtzer/Desktop/initrdiso.gz
##initrd (loop)/casper/initrd.gz
}
### End of file